02-25-2011 12:35 AM
I have an SSG140 with ScreenOS 6.3.0 R6.0.
I restored the factory settings and used the wizard to create a new configuration.
The situation is simple:
192.168.0.X a small network that should be able to surf the internet through a router.
The two interfaces are: eth0/0, Trust, 192.168.0.1, Interface Mode: NAT; eth0/2, Untrust, 10.11.12.2, Interface Mode: Route.
Between the LAN and Router I put the Juniper SSG140.
It all works; the LAN clients surf the Internet protected by the SSG140.
Within the LAN, at address 192.168.0.100, is a server running a proprietary application
that responds to customer requests on TCP ports 30000, 33001 and 35001 and must be reachable from the internet.
I found plenty of documentation on the subject and all the descriptions on how to configure the SSG140 coincide:
Create a VIP on the Untrust interface ethernet0/2:
Network > Interfaces > Edit (for ethernet0/2) > VIP: Enter the following address,
then click Add:
Virtual IP Address: 10.11.12.5
Network > Interfaces > Edit (for ethernet0/2) > VIP > New VIP Service: Enter
the following, then click OK:
Virtual IP: 10.11.12.5
Virtual Port: 30000
Map to Service: Service1 (port 30000, created earlier in Policy > Policy Elements > Services > Custom)
Map to IP: 192.168.0.100
Then I created the policy:
Untrust to Trust (I have found documentation that says Untrust to Global; which is right?)
Address Book Entry: (select), ANY
Address Book Entry: (select), VIP (10.11.12.5)
Service: Service1 (30000)
I have enabled the VIP to support multiple-port services: I entered the
CLI command set vip multi-port, saved the configuration, and then rebooted the device.
External clients cannot reach the internal server.
Is there any trick or any problem with ScreenOS 6.3.0 R6.0?
I look forward to your advice.
03-01-2011 09:04 AM
What you've done so far looks correct. There could be a few things causing issues here.
First, 10.11.12.x is an RFC1918 private address. You stated that you want your internal network (192.168.0.x) to be able to surf the internet, and you've set your eth0/0 interface into NAT mode. That will NAT your outgoing requests to the 10.11.12.2 IP from your eth0/2 interface. That IP is not routable on the internet. Are you doing another level of NAT somewhere else on the network?
Second, what is the subnet mask for your eth0/2 connection to your router? If it's not /24, then your router might not have a route to your VIP address of 10.11.12.5.
To answer your question, creating the policy from untrust to trust is correct. I recommend that people never modify the global policy unless they have a very specific reason to do so.
Third, a VIP may be more complicated than you need. If this is going to be a 1-1 public IP to private IP mapping, you could use a MIP, and it makes the configuration easier (in my opinion). A VIP is primarily used when you have to have a single public IP mapping into multiple internal IPs based on port numbers.
Finally, and this relates back to the first point: your VIP of 10.11.12.5 is, again, private address space. Nothing on the internet is going to be able to connect to that address. Again, are you doing another layer of NAT on the network?
If you provide a diagram of how your network topology looks it would give us some insight into the issue. Also, you could post your configuration of your SSG140. If you continue to have troubles, we can help you run some debugs to see where the traffic is failing, but you'll need to address the points I made above before we go further.
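The VIP procedure in the original question and the two sanity checks raised in this reply (RFC1918 space on the VIP, and whether the VIP falls inside the untrust subnet so the router has a route to it) can be written down as a small pre-flight script. The following is an added example, not code from either poster or from Juniper: the addresses and ports are the ones given in the thread, the service names Service2 and Service3 are assumed, and the rendered ScreenOS CLI lines (one custom service, VIP entry and Untrust-to-Trust policy per port) are my own reading of the ScreenOS syntax and should be compared against the CLI reference for the release in use.

```python
"""Pre-flight check and CLI rendering for a ScreenOS VIP port-forward.

Added example, not from the original thread. Addresses and ports are the
poster's; the warning logic and the exact CLI syntax are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 space, checked explicitly: ipaddress's is_private would also flag
# documentation ranges such as 203.0.113.0/24, which is not the point here.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class VipPlan:
    untrust_if: str      # untrust interface carrying the VIP, e.g. "ethernet0/2"
    untrust_addr: str    # its address with prefix length, e.g. "10.11.12.2/24"
    trust_addr: str      # trust interface address with prefix length
    vip: str             # virtual IP that external clients connect to
    internal_host: str   # server the VIP maps to
    services: dict       # custom service name -> single TCP port


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_vip(plan):
    """Return the warnings a reviewer would raise before touching the firewall."""
    warnings = []
    untrust = ipaddress.ip_interface(plan.untrust_addr)
    trust = ipaddress.ip_interface(plan.trust_addr)
    vip = ipaddress.ip_address(plan.vip)
    host = ipaddress.ip_address(plan.internal_host)

    if is_rfc1918(vip):
        warnings.append(
            f"VIP {vip} is RFC1918 space; nothing on the internet can reach it "
            "unless an upstream device NATs a public address to it")
    if vip not in untrust.network:
        warnings.append(
            f"VIP {vip} lies outside the untrust subnet {untrust.network}; "
            "the next-hop router needs a route for it")
    if host not in trust.network:
        warnings.append(
            f"mapped host {host} is not in the trust subnet {trust.network}; "
            "check the route to it from the trust zone")
    return warnings


def render_screenos(plan):
    """ScreenOS CLI for the VIP (assumed syntax): one service, VIP entry and
    policy per port, so it does not depend on 'set vip multi-port'."""
    lines = []
    for name, port in plan.services.items():
        lines.append(f'set service "{name}" protocol tcp '
                     f'src-port 0-65535 dst-port {port}-{port}')
    for name, port in plan.services.items():
        lines.append(f'set interface {plan.untrust_if} vip {plan.vip} '
                     f'{port} "{name}" {plan.internal_host}')
    for name in plan.services:
        lines.append(f'set policy from "Untrust" to "Trust" "Any" '
                     f'"VIP({plan.vip})" "{name}" permit')
    lines.append("save")
    return lines


# Constructed from the values in the thread; Service2/Service3 names are assumed.
THREAD_PLAN = VipPlan(
    untrust_if="ethernet0/2",
    untrust_addr="10.11.12.2/24",
    trust_addr="192.168.0.1/24",
    vip="10.11.12.5",
    internal_host="192.168.0.100",
    services={"Service1": 30000, "Service2": 33001, "Service3": 35001},
)

if __name__ == "__main__":
    for warning in check_vip(THREAD_PLAN):
        print("WARNING:", warning)
    print("\n".join(render_screenos(THREAD_PLAN)))
```

Run against the thread's values, the only warning is the RFC1918 one on the VIP, which is exactly the open question in this reply: unless a device upstream of the router translates a public address to 10.11.12.5, the forward cannot work no matter how the SSG140 is configured. Narrowing the untrust mask to /30 adds the second warning, since 10.11.12.5 then falls outside the interface subnet.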
03-02-2011 07:15 AM - edited 03-02-2011 07:16 AM
Thanks for the reply.
I solved the problem by downgrading the ScreenOS
from version 6.3.0 R6.0 to version 6.2 R9.0.
Now everything is working correctly.
Do you know if the 6.3 version has problems?